Secure Coding mailing list archives

Re: (Shellcode Injection)


From: Crispin Cowan <crispin () immunix com>
Date: Sun, 14 Dec 2003 02:33:00 +0000


ljknews wrote:

> At 6:08 PM -0800 12/12/03, Crispin Cowan wrote:
>
>> I'm sorry, but that's wrong. It is entirely possible to avoid shell code injection in type safe languages.
>
> Ok, I will admit to never having heard the term "shellcode injection".
> Google did not help, finding only references, not definitions.
>
> Could someone explain in terms that do _not_ assume a Unix or Windows
> background?

Without discussing Unix or Windows issues, probably not :) But here's an 
attempt.


A common form of attack against Unix and Windows (and in fact many other 
platforms) is to:


  1. Inject malicious code into a victim process's address space.
  2. Induce the program to jump to the malicious code.

The malicious code often spawns a shell, and so it is called "shellcode". 
Observations:


   * The malicious code does not always have to be injected, it can also
     be in the program's text segment, colloquially known as "return
     into libc" attack.
   * Inducing the program to jump to the malicious code can be effected
     in a variety of ways, including buffer overflows, printf format
     string attacks, and other type safety violations endemic to the C
     and C++ languages.

I wrote a paper categorizing these attacks and relevant defenses:

   "Buffer Overflows:  Attacks and Defenses for the Vulnerability of
   the Decade". Crispin Cowan, Perry Wagle, Calton Pu, Steve Beattie,
   and Jonathan Walpole. DARPA Information Survivability Conference and
   Expo (DISCEX) <http://schafercorp-ballston.com/discex/>, Hilton Head
   Island SC, January 2000. Also presented as an invited talk at SANS
   2000 <http://www.sans.org/sans2000/sans2000.htm>, Orlando FL, March
   2000.  PDF <http://immunix.com/%7Ecrispin/discex00.pdf>.

However, this paper is now 4 years old, so there are new forms of attack 
(printf format string attacks) and defenses (PaX, W^X, Program 
Shepherding) that the paper does not cover.


Crispin

--
Crispin Cowan, Ph.D.  http://immunix.com/~crispin/
CTO, Immunix          http://immunix.com
Immunix 7.3           http://www.immunix.com/shop/
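[Added illustration for the archive, not part of Crispin's message or of the cited paper: the two "type safety violations" the post names, the unbounded copy and the untrusted printf format, each shown next to the bounded form that closes the hole. The function names (greet_unsafe, greet_safe, copy_bounded, format_safe), the NAME_LEN buffer size and the sample inputs are all constructed for this example.]

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

#define NAME_LEN 16   /* constructed buffer size for the example */

/* Bounded string length: count at most 'max' bytes, so a missing
 * terminator in untrusted input cannot send us reading past the buffer. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* "Before": the unbounded copy the post calls a type safety violation.
 * If 'name' is longer than NAME_LEN - 1 bytes, strcpy writes past 'buf'
 * into whatever the compiler placed next to it on the stack (other
 * locals, the saved frame pointer, the return address). That corruption
 * is what step 2 of the post, redirecting control, relies on. Shown only
 * for contrast; it is never called with untrusted input here. */
void greet_unsafe(const char *name) {
    char buf[NAME_LEN];
    strcpy(buf, name);            /* no length check at all */
    printf("hello, %s\n", buf);
}

/* "After": copy at most dst_len - 1 bytes and refuse anything larger,
 * so the attacker-controlled length never reaches the stack.
 * Returns 0 on success, -1 if the input was rejected as too long. */
int copy_bounded(char *dst, size_t dst_len, const char *src) {
    size_t n;
    if (dst_len == 0)
        return -1;
    n = bounded_len(src, dst_len);
    if (n >= dst_len)             /* no room left for the NUL terminator */
        return -1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return 0;
}

/* Same greeting with the bounded copy; over-long input is rejected and
 * reported instead of silently overwriting the frame. */
int greet_safe(const char *name) {
    char buf[NAME_LEN];
    if (copy_bounded(buf, sizeof buf, name) != 0) {
        fprintf(stderr, "rejected: name longer than %d bytes\n", NAME_LEN - 1);
        return -1;
    }
    printf("hello, %s\n", buf);
    return 0;
}

/* The printf format string case the post mentions: passing untrusted
 * text as the *format* lets %-directives inside it read (or, with %n,
 * write) memory. The fix is a constant format with the text as an
 * argument. This helper formats into a caller buffer so the result can
 * be checked: any %-sequence in 'msg' comes out as literal characters.
 * Returns 0 on success, -1 if 'msg' did not fit in 'out'. */
int format_safe(char *out, size_t out_len, const char *msg) {
    int r = snprintf(out, out_len, "%s", msg);   /* never snprintf(out, out_len, msg) */
    if (r < 0 || (size_t)r >= out_len)
        return -1;
    return 0;
}

int main(void) {
    char line[64];
    greet_safe("ljknews");                                     /* fits */
    greet_safe("a name that is much longer than sixteen bytes"); /* rejected */
    if (format_safe(line, sizeof line, "100%x done") == 0)
        printf("%s\n", line);                                  /* prints the %x literally */
    return 0;
}
```

The point of the pairing is that neither fix needs the program to know anything about shells or address spaces: both simply refuse to let input length or input content decide what the compiled code does, which is the property a type safe language gives for free and C leaves to the programmer.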